Session 22

Safety Management
Safety Management - 2
Contents
Evolution of Safety Regulation Systems
Level 1: Prescriptive standards
Level 2: Process standards
Level 3: Risk-based safety management (non-prescriptive standards)
Level 4: Safety Management System

Safety Management Processes
Safety management system and manual
Safety management plan

Safety Management System (SMS)
Purpose and scope
Grand Challenges of SMS


Note: Some additional slides in lecture appendix


Safety Management - 3
A Typical Safety Argument
Recall: (from this morning)
Top-level goal
Usually in context that defines
what adequate safety means
Primary Argument
Risks are appropriately
controlled
Secondary Argument
Validity of the primary argument
Adequacy, and correct use, of
the processes
Evidence
Supports all elements of
argument
System and/or
Organisation are
Sufficiently Safe
All Hazards are
Sufficiently
Mitigated Against
Methods and Processes
Used to Construct Safety
Case and its Evidence are
Fit For Purpose
...
... ...
...
Argument over
individual hazards
Argument over
individual methods
and processes
Definition of
Sufficiently Safe:
Mandatory Safety
Targets
Description of the
methodology
List of identified
hazards
...
Evidenceof implementation
...
Evidenceof theprocess being followed
Safety Management - 4
Prescriptive Standards
Regulator
Prescribes particular detailed
solution

Company / Certificate Holder
Ensures that standards are
followed
Produces evidence that
solution has been
appropriately implemented

Assumption (is it valid?)
By implication, regulator has
constructed appropriate safety
case showing that solutions
yield overall safety goal
System and/or
Organisation are
Sufficiently Safe
All Hazards are
Sufficiently
Mitigated Against
Methods and Processes
Used to Construct Safety
Case and its Evidence are
Fit For Purpose
...
... ...
...
Argument over
individual hazards
Argument over
individual methods
and processes
Definition of
Sufficiently Safe:
Mandatory Safety
Targets
Description of the
methodology
List of identified
hazards
...
Evidenceof implementation
...
Evidenceof theprocessbeingfollowed
Safety Case is trustworthy
because of trustworthiness of
the expertise of the regulator
Safety Management - 5
Prescriptive Standards
Can be sufficient if
There are few companies in a regulated sector
Regulator has good oversight of what each company is doing
Few differences between companies
There is a high level of state participation
Heavy regulation is perceived acceptable by companies
Systems (social and technical components) are relatively stable
High degree of confidence in prescribed solution, e.g. military aviation in the
inter-war / post war period

Still workable for technical systems where there are accepted
solutions

Unsuitable when there are too many differences between
organisations
For example, the general regulation of civil aviation
Need a less prescriptive, more flexible and responsive approach
Safety Management - 6
Process Standards
Regulator
Sets overall safety requirements
Prescribes safety and verification
processes

Company / Certificate Holder
Uses the process to design the
socio-technical system
Makes argument that proposed
mechanisms will be sufficient
Provides evidence that process
followed and design implemented

Assumptions
Implicit Secondary Argument
Reflects regulators judgement
System and/or
Organisation are
Sufficiently Safe
All Hazards are
Sufficiently
Mitigated Against
Methods and Processes
Used to Construct Safety
Case and its Evidence are
Fit For Purpose
...
... ...
...
Argument over
individual hazards
Argument over
individual methods
and processes
Definition of
Sufficiently Safe:
Mandatory Safety
Targets
Description of the
methodology
List of identified
hazards
...
Evidenceof implementation
...
Evidenceof theprocess being followed
The process is
appropriate because it is
suggested by the
regulator (with vast
experience and
expertise)
Safety Management - 7
Process Standards
Work well in some sub-sectors, where there is:
Degree of similarity between regulated organisations / products
Relatively slow and gradual evolution of practices in the sector
e.g. some aspects of aircraft design / type certification

Unsuitable where there are fundamentally different
business models
For example, modern civil aviation sector as a whole



Safety Management - 8
Risk-Based Approach
Company / Certificate Holder
Selects the most appropriate
methods and processes
Uses them to identify appropriate
mechanisms for ensuring sufficient
level of safety
Produces valid and coherent
argument of safety plus supporting
evidence (i.e. safety case)

Regulator
Sets overall safety targets
Audits the safety case based on
accumulated expertise
May take into account items in
Significant Issues List (SIL)
System and/or
Organisation are
Sufficiently Safe
All Hazards are
Sufficiently
Mitigated Against
Methods and Processes
Used to Construct Safety
Case and its Evidence are
Fit For Purpose
...
... ...
...
Argument over
individual hazards
Argument over
individual methods
and processes
Definition of
Sufficiently Safe:
Mandatory Safety
Targets
Description of the
methodology
List of identified
hazards
...
Evidenceof implementation
...
Evidenceof theprocessbeingfollowed
Significant Safety
Issues List (SIL)
Safety Management - 9
Risk-Based Approach
Advantages
Enables companies to develop solutions suitable for their business
Input from regulator is at strategic policy level, e.g. top-level goals
Makes it clear that companies have liability
No we complied with your standards argument
Original risk-based approaches are now considered incomplete
Safety activities of different organisations may not be coordinated
e.g. supply chain
Safety not fully integrated into the management of the business
Need to address soft issues: human factors, training, culture (see Part
2 of lecture)
Too static on its own
Assumes ideal safety case the first time
Practice may diverge from safety case
Organisation and operational context may change
Doesnt require or encourage learning
Reactive approach to safety management
Safety Management - 10
Safety Management
A safety management system (SMS)
is defined for an organisation
sets out approach to ensuring safety in all aspects of an
organisations business
covers operation and general principles of development
although not details of specific projects
is typically documented in a safety management manual (SMM)
A system safety programme plan (SSPP)
is defined for a project
details safety-specific activities and products, e.g. safety cases
will link to project plans, e.g. milestones and reviews
will derive some of its contents from the SMS
but may over-ride the SMS, e.g. to reflect national legislation
Focus on functional safety not occupational health and safety
Safety Management - 11
Purpose of an SMS
Primary aim
to provide a framework for the planning, execution and
monitoring of all activities needed to meet safety objectives
including policies for reducing / managing risk
Secondary aims
to ensure consistency between projects
e.g. by using same risk assessment criteria
to help meet / discharge legal and moral obligations
e.g. the duty of care
to contain liability, should an accident occur
Aims met by setting out
organisation and responsibilities, e.g. for decision making
policies, e.g. on acceptable levels of risk
procedures, e.g. for incident reporting
Safety Management - 12
ICAO SMM 2006
Overview
Responsibility for Managing
Safety
State Safety programme
Understanding Safety
Basics of Safety Management
Risk Management
Hazard and Incident Reporting
Safety Investigations
Safety Analysis and Safety
Studies
Safety Performance Monitoring
Emergency Response Planning
Establishing an SMS
Safety Assessments
Safety Auditing
Practical considerations for
operating a SMS
Aircraft Operations
Air Traffic Services
Aerodrome Operations
Aircraft Maintenance
ICAO SMS: a systematic approach to managing safety,
including the necessary organizational structures,
accountabilities, policies and procedures.
Safety Management - 13
Safety Management System- ICAO 9859 View
Embeds safety case into feedback
and review layers
Continuous safety performance
monitoring
Against clearly defined indicators
and targets
Periodic internal SMS review
Thorough, open-ended
Review of all relevant data
Improve cost-effectiveness
and safety
Significant events investigations
Internal (staff self-reporting)
Non-punitive!
Accidents & Incidents
Regulator lead
External audits
Regulator
Safety Management - 14
Safety Management System- ICAO 9859 View
Documented and Implemented policies and procedures for managing risks
that integrate operations and technical systems with the management of
financial and human resources to ensure aviation safety and the safety of
the public

SMS standards apply general principles for a particular application
But no prescriptive or process requirements

Massive change in companies safety management philosophy
Complete responsibility for safety
Must understand what safety means and how is it being achieved
In the context of their business and operations

Significant change in philosophy of regulation
Regulator checks whether operators have asked themselves all right questions
and responded adequately
Regulator ensures that information is disseminated in the sector
Significantly more space for a subjective judgement
Based on the vast accumulated knowledge
Safety Management - 15
SMS Questions to ask
Strategy and basic organisation:
What are overall safety objectives?
Objective and measurable!
What is the safety management organisation?
Who has key responsibilities?
How are they supported?
Basic risk management:
What are hazards and risks of the operations?
Consider all aspects of operations and the environment
How do we ensure safety of our basic activities, considering:
Communication and collaborative working
Special challenges
Monitoring and performance evaluation:
How do we check that safety management is effective?
How do we notice safety issues before these develop into accidents?
Safety Management - 16
SMS Questions to ask
Emergency Planning:
What do we do if things go wrong?
To minimise the effects
How do we prepare ourselves to learn from experience?

Change:
How do we ensure that our organisation remains safe?
In the context of changes to operations and environment
In the context of changes to safety management practices

Proactive learning:
How do we ensure organisation itself doesnt become a source of
risk?
How do we drive improvement process?
How do we identify promising changes?


Safety Management - 17
SMS: Challenges
Culture & paradigm shift
Higher degree of responsibility
Longer-term investment
Developing SMS from first
principles
Changing climate and attitudes
in the organisation
Non-punitive reporting
Encouraging whistle blowing
Making staff aware of SMS in
general and their roles in
particular
Reliance on genuine
commitment!
Regulation approach
Presumed trust
Steep punitive pyramid if
trust is abused
From inspections to audits
More flexible / open-ended
More constructive
More time-consuming!
Require more judgment

Small/Medium Enterprises
(SME)
Too complex an approach for
small businesses?
Too much of an investment
necessary?

Very large companies
Safety Management - 18
Rail Safety Management
Example 2: Rail Safety Management systems
Designed to limit risk of injury to persons or damage to property;
and protect commercial interests by running safe railway
Legislated for by the Australian Rail Safety Act 1998
Rail Safety Regulations 1999 Part 2 reference Australian Standard
AS 4292.1, as the standard for Rail Safety Management

AS/NZ 4292 Rail Safety Management
Section 1: Scope and General
Section 2: Management Policy and Structure
Section 3: Risk and Incident Management
Section 4: Personnel Management
Section 5: Goods and Services Procurement
Section 6: Engineering and Operational Systems Safety
Section 7: Interstate Operation (not contractor requirements)
Safety Management - 19
Organisation and Responsibilities
Ultimate responsibility for safety at the top
main board for a company
perhaps just the Engineering or Technical Director
Secretary of State for the U.K. MoD
Organisation defines
delegation of responsibility
named individuals / posts with sign off authority
committees and other joint management
to ensure appropriate knowledge brought to bear, e.g. design,
operations, maintenance
communication paths
e.g. for incident reporting
independent reporting chain
so junior staff can report safety concerns outside the line
Safety Management - 20
Independent Reporting
Purpose of independent reporting
management decisions are often compromises
may sometimes treat safety inappropriately
independent mechanisms
give way for concerned engineers to bring such lapses to senior
management attention
once attempts to resolve locally have failed
Often have separate director for independent reporting
e.g. Quality Director, when projects report to Technical or
Engineering Director
Use of independent reporting should be exceptions
a good safety culture will promote resolution in the line
Final resort
whistle-blowing
Safety Management - 21
Purpose of an SSPP
Primary aim
to define the process for achieving and assessing product safety,
for a given project
including defining links to the primary development plans
Secondary aim
to ensure project risks are controlled, as well as safety risks
for example, by defining a safety case strategy early in the project
Aims met by setting out
product identification and project scope
project organisation and responsibilities
requirements and applicable standards
hazard log and hazard tracking strategy
safety case strategy
a technical plan, e.g. a bar chart, and definition of methods
Safety Management - 22
Organisation and Responsibilities
Project Leader
safety responsibility for the project
accepts and signs off key documents
ultimately makes decisions
trade-offs between safety and availability
but advised by various committees (e.g. System Safety Panel)

Primary safety work
done by designers, or safety specialists
at minimum, specialists act as independent reviewers

Independent Verification and Validation (IV&V)
main design assessment work, independent of designers
e.g. review and testing
Safety Management - 23
Technical Plan
Programme of work
technical safety activities
bar chart expanding on PHI, PHA, etc.
defined in a phased manner
e.g. plan for SSHA defined as a result of PHA and associated
design revisions
identify what methods or techniques to use at each stage
define methods or techniques
e.g. guidewords and team structure for HAZOP
often done by reference to other company documentation
link to development plan

Safety Case Strategy
how it is intended to demonstrate safety
Safety Management - 24
ISAs
Independent Safety Auditor (ISA)
provides independent check that
plan implemented as defined
analogy with financial auditor
usually audits SMP and method definitions
and samples other deliverables
is not intended to give advice
Can be confusion with
Independent Safety Advisor
providing advice to help direct project, not check on progress
Independent Safety Assessor
safety aspect of IV&V, as defined here
Other specialist advisors, if needed
e.g. on nuclear safety, lasers or software
Safety Management - 25
Managing Safety Risk
Best approach is to establish a single, closed loop,
hazard tracking system
to be used throughout development and in service
Most safety standards require establishment of a Hazard
Log, with entries for (at least)
description of hazard, and hazard risk index
status of hazard and its control
residual risk
actions to address the hazard
recommended hazard controls
signature of appropriate authority to close out
Explicit hazard log not a requirement of ARP guidance
systematic approach to tracking safety issues clearly a necessity
Safety Management - 26
Hazard Log Entry
Hazard No. HM034
Hazard Title Windscreen overheats Status: Open
Description Loss of structural integrity of windscreen due to overheating
Cons. A3 Sev. 2 Prob. 3e-8 HRI: 10
Closure
Summary
Primary
effects
Windscreen: strength reduced / damaged / fractured
Consequences Pilot injury, and possible loss of aircraft
Systems Structures, Elec. Heating, ECS Heating, Warning
Responsibility Electrical
Risk assessment results - separate
consequence description
Responsibility
assigned
Action not specified - will be for
reduction of hazard probability
Safety Management - 27
Hazard Tracking Example
Hazard No. HM034
Hazard Title Windscreen overheats
2/7/94 PHA Report BAe/WAW/075 Hazard Identified
10/4/96 SCR Assessment accepted for development flying, within
specified reduced envelope, at 9
th
CSG
20/9/96 SCR Assessment for Windscreen anti-misting system
(BAe/WAW/487 Issue D updated with amended reliability for
hazard log summary (table updated)
Hazard No. used as
cross-reference to log
Progress of hazard
management from
identification to closure
Decision before mitigation
action complete - flight
restriction to manage risk
Safety Management - 28
Revised Hazard Log Entry
Hazard No. HM034
Hazard Title Windscreen overheats Status: Closed
Description Loss of structural integrity of windscreen due to overheating
Cons. A3 Sev. 2 Prob. 2e-10 HRI: 18
Closure
Summary
Anti-misting system reduces probability of hazard to tolerable
level. Training required to ensure pilots use anti-misting
system, in appropriate conditions.
Primary
effects
Windscreen: strength reduced / damaged / fractured
Consequences Pilot injury, and possible loss of aircraft
Systems Structures, Elec. Heating, ECS Heating, Warning
Responsibility Electrical
Revised HRI
(now Tolerable)
Reduced hazard
probability
Closure added
Note: other entries not modified
nature of hazard not changed
May be better to have
new entry, so change
can be seen explicitly
Safety Management - 29
Safety Life-Cycle - Link to Hazard Log
- Platform Concept
- Initial Hazard List
- Safe Platform
- Safety Case
(Predictive) Causal Analysis Causal Analysis
Integration of Safety Evidence
PSSA SSA
Hazard Identification
Consequence Analysis
FHA
PHI
1. Initial entry made
2. Severity added
3. Risk estimate added
4. Risk estimate revised
5. Risk figure finalised
Risk reduction action

Design completed
Numbered items are actions on hazard log
Safety Management - 30
Management of Hazard Log 1
Hazard log
produced and maintained during development
tool support desirable
specialist tools, but can do with a database
issued periodically (hazard log reports)
open hazards reviewed
decisions on tolerable levels of reduction made
this is (typically) an ALARP decision
may need to involve operational authority
is almost inevitably assessed by a committee (e.g. the Project Safety
Panel)
Panel will have to balance cost and likely risk reduction
period depends on scale of project, number of open risks, etc.
may also be on identification of significant new risk
Safety Management - 31
Management of Hazard Log 2
Hazard No. HM034
Hazard Title Windscreen overheats
2/7/94 PHA Report BAe/WAW/075 Hazard Identified
10/4/96 SCR Assessment accepted for development flying, within
specified reduced envelope, at 9
th
CSG
20/9/96 SCR Assessment for Windscreen anti-misting system
(BAe/WAW/487 Issue D updated with amended reliability for
hazard log summary (table updated)
Hazard No. HM034
Hazard Title Windscreen overheats Status: Closed
Description Loss of structural integrity of windscreen due to overheating
Cons. A3 Sev. 2 Prob. 2e-10 HRI: 18
Closure
Summary
Anti-misting system reduces probability of hazard to tolerable
level. Training required to ensure pilots use anti-misting
system, in appropriate conditions.
Consider use of web technology to manage log
Consequence
Description
Fault Tree
Analysis
Instance of
HRI Table
PHI (A) Report
Meeting Minutes
Safety Analysis Report
Extract from Hazard Log

Extract from Hazard
Tracking System
Safety Management - 32
Transition to Service
Handover of hazard log to operational authority

joint review of hazard log / hazard tracking system
all risks addressed
all risks reduced ALARP, or practical procedures to manage
e.g. operational limitations, pending remedial development
will need sign off by operational authority
status of ongoing remedial action adequately understood

hazard log passed on as basis for operational safety
management
FRACAS - so the severity of events (incidents) is known
action limits to give early warning of impending problems
Safety Management - 33
Operational Safety
Safety management does not stop at end of development
process
Also need to ensure operation is accident free
or at least to keep accidents to a tolerable level
Main safety-related activities in-service are:
maintenance
preserve (safety related) system as designed and manufactured
improve the design where design not safe enough, or
improvements now possible
monitoring and management of failures
Accident and incident analysis
Monitoring and evaluation of failures
Corrective actions based as a result of analysis
ARP 5150 defines systematic approach
Safety Management - 34
ARP 5150 Monitoring Process
ESTABLISH
EXPECTATIONS
ESTABLISH
MONITOR
PARAMETE
RS COLLECT &
ANALYZE
DATA
PROBLEM
OR
TREND
NOTED?
NO
L
E
S
S
O
N
S
L
E
A
R
N
E
D
ASSESS
EVENT
& RISK
SIGNIFICANT
EVENT-- ACTION
REQUIRED?
INTERNAL
/ EXTERNAL
ACTION?
INT
EXT
NO
NOTIFY
RESPONSIBLE
PARTY
A
SELECT
ACTION
ACTION
APPROVED?
NO
YE
S
MORE
ANALYSIS?
YES
ACTION
APPLICABILIT
Y REVIEW
IMPLEMENT
ACTION?
SCHEDULE
DOCUMENT &
CLOSE
NO
YES
INPUTS
FROM OTHER
LEVELS OR
MONITORING
OUPUT TO "ASSESS
EVENT AND RISK"
AT OTHER LEVEL(S)
ACTIONS
FROM OTHER
LEVELS OR
SOURCES
DEVELOP
ACTIONS
ACTIONS
TO OTHER
LEVELS
DETERMINE
INTERNAL/
EXTERNAL
ISSUE
RESOLUTION
YES
REVIEW
SELECTED
ACTION FOR
APPROVAL
NO
YE
S
A
A
Establish Monitor Parameters
Monitor For Events
Assess Event & Risk
Develop Action Plan Disposition Action Plan
IMPLEMENT
Safety Management - 35
Roles in ARP 5150 Process
Supplier Assessment
Process
Airframer Assessment
Process
Operator Assessment
Process
ESTABLISH
EXPECTATIONS
ESTABLISH
MONITOR
PARAMETERS
COLLECT &
ANALYZE DATA
PROBLEM
OR
TREND
NOTED?
NO
L
E
S
S
O
N
S

L
E
A
R
N
E
D
ASSESS
EVENT
& RISK
SIGNIFICANT EVENT--
ACTION REQUIRED?
INTERNAL
/ EXTERNAL
ACTION?
INT
EXT
NO
NOTIFY
RESPONSIBL
E PARTY
A
SELECT ACTION
ACTION
APPROVED?
NO
YES
MORE
ANALYSIS?
YES
ACTION
APPLICABILITY
REVIEW
IMPLEMENT
ACTION?
SCHEDULE
DOCUMENT &
CLOSE
NO
YES
INPUTS
FROM
OTHER lEVELS OR
MONITORING
ACTIONS
FROM OTHER LEVELS
OR SOURCES
DEVELOP
ACTIONS
ACTIONS
TO OTHER
LEVELS
DETERMINE
INTERNAL/
EXTERNAL ISSUE
RESOLUTION
YES
REVIEW
SELECTED
ACTION FOR
APPROVAL
NO
YES
A
A
Establish Monitor Parameters
Monitor For Events
Assess Event &Risk
Develop Action Plan Disposition Action Plan
IMPLEMENT
OUPUT TO "ASSESS
EVENT AND RISK"
AT OTHER LEVEL(S)
OUPUT TO "ASSESS
EVENT AND RISK"
AT OTHER LEVEL(S)
OUPUT TO "ASSESS
EVENT AND RISK"
AT OTHER LEVEL(S)
INPUTS
FROM
OTHER lEVELS OR
MONITORING
INPUTS
FROM
OTHER lEVELS OR
MONITORING
ACTIONS
FROM OTHER
LEVELS OR
SOURCES
ACTIONS
FROM OTHER LEVELS
OR SOURCES
Safety Management - 36
Observations
SMS/SMM and SSPP may overlap a lot
dont repeat, refer (but better to repeat than not to write it down!)

SSPP may legitimately conflict with SMS/SMM
e.g. if product is for a new market, uses new technology, or
involves work with another company

It is possible to overwhelm a project with plans
if the safety activities are limited, just extend the main plan

Ultimately, safety is achieved by people
the way they work (and the culture in which they work) are key
Slides 37-42 are to be used as reference material and
will not be presented



Safety Management - 37
Organisational Concerns
Compliance-oriented
Do minimum - anything more
is beyond ALARP

Reactive / inertial framework
Assume right until proven
otherwise
Looking for safety issues
discouraged
Unfair reporting systems
Static safety management
Assume environment and
organisation unchanging
Ignore uncertainty in safety
assessment
No fixed requirements
Provides rational incentives for
over-compliance
Reinforces ALARP
Proactive framework
Only assumes SMS is good
enough to operate
Recognise inherent uncertainty
Proactive & predictive feedback
Fair (non-punitive) reporting
Active management of change and
uncertainty
Assess changes
Monitor performance
Periodically review the whole SMS
Concerns SMS response
Safety Management - 38
Organisational Concerns
Safety an over the wall activity
Not integrated into overall
management
Unrealistic policies
Clumsy internal regulation
Unmanageably complex and
bureaucratic
Not acted upon


Poor safety culture
Its something we have to do to
tick regulators boxes
Its of no utility to business
Accidents are too unlikely to worry
You need to really try to cause
an accident
Integrated approach to safety
Integrated into overall
management
Rational & realistic policies
Recognises primary function of
the business
Allows flexibility in designing most
suitable SMS
Audits check for dead weight
Requires and encourages strong
safety culture
Covered by audits
Encourages staff engagement in
safety management
Requires safety promotion
Concerns SMS response
Safety Management - 39
SMS Content 1
What should organisation
consider?
What are overall safety
objectives
how do we know if we have
achieved them?


Who has safety responsibility
how are they supported?

What goes in SMS?
Definition of safety requirements
measurable
objective
achievable

Individual roles and responsibilities
Organisation
reporting structures
including independent lines of
reporting
committees, panels
Safety Management - 40
SMS Content 2
What should organisation
consider?
How do we ensure safety of our
basic activities, considering
environment
locations in which we operate
operations
especially those demanding
high levels of skill or
concentration
communication and
collaborative working
equipment
special challenges
hazardous materials

What goes in SMS?
Hazard identification and risk
assessment methodology
Procedures for hazard logging /
tracking
Approach to risk
control/reduction
Risk acceptance criteria
Basis for trade-off decisions
Specialist safety analysis
methodology
Safety-related working
procedures
Skills, training
Safety Management - 41
SMS Content 3
What should organisation
consider?
How do we ensure safety of
activities is maintained?




What do we do if things go
wrong?
What goes in SMS?
Performance monitoring
Data collection
Review and analysis
Trends and anomalies
Corrective actions
Policies for managing change

Emergency planning
Training and drills
Safety Management - 42
SMS Content 4
What should organisation
consider?
How do we ensure
organisation itself does not
become a source of risk?
What goes in SMS?
Policies for continual self-
review
Auditing
Policies for continual
improvement
Improving safety targets
Organisational learning
Cultural aspirations
Training
Communication